Immediate breach costs are dwarfed by long-term penalties
European business must beware ‘slow-burn’ costs of attacks, says major insurer Lloyds of London.
Enterprises regularly underestimate the full effects of a cyber attack, and need to prepare more fully for a wide range of negative repercussions, according to new research.
Dubbed the "slow-burn" effects of cyber attacks, the report details the long term issues, including a loss of customers, a fall in share price and other potential consequences in addition to short-term costs such as notifying customers, paying ransoms or public relations expenses.
Other ‘slow burn’ issues include third party litigation expenses, regulatory fines and penalties, loss of management focus, loss of competitive advantage and gradual decline in revenue. These are in addition to immediate costs, including forensic investigation, legal, credit monitoring for customers, business interruption and remediation expenses.
The researchers looked at recent breaches at Target in the US and TalkTalk in the UK. The UK ISP suffered a data breach in 2015 which caused a one-off cost of $52 million, but also led to slow-burn costs of more than $44 million, including an estimate for lost revenue, the report said. The final total was more than $96m, a significant rise from the initial cost.
Other measurable ‘slow burn’ costs for TalkTalk were a rise in customer churn, losing some 95,000 broadband customers, while simultaneously offering free upgrades to customers and some $4m in credits. H2 revenues for TalkTalk grew by just 0.2 per cent compared with the previous six-month growth of 4.75 per cent, a potential $19m of lost revenue and circa $25m impact from the lower customer base with which TalkTalk entered Q4. Customer satisfaction declined from 69 per cent in September 2015 to a low of 64 per cent in January 2016. Finally, in October 2016 the UK Information Commissioner levied its largest ever fine of $496,000 against TalkTalk for its security failings.
Target was not so lucky, with an immediate total cost of $60m, but a slow burn cost of $219m, hitting a total of more than $279m. The slow burn additional costs being down to more than $100m of system upgrades to install chip-and-pin readers at its stores, $5m in customer education and awareness activities, as well as legal settlements with a group of banks, credit unions and MasterCard issuers for $19m, with Visa for $67m and shoppers for $10m.The company also incurred more than $201m of costs in the financial year following the breach, bringing the total cost to more than $261m, while a May 2017 settlement with US States and the District of Columbia has since added a further $18m.
“One lesson is clear though – by reacting swiftly to mitigate the impacts of a cyber breach once it has occurred, thereby minimising immediate costs, companies could reduce their exposure to subsequent slow-burn costs”, said the report, created by Lloyd's of London, KPMG and law firm DAC Beachcroft. Lloyd's has a 20-25 per cent share of the $2.5 billion cyber insurance market, Lloyd's of London Chief Executive Inga Beale told Reuters, a market that is predicted to grow exponentially in the coming years.
Of course, taking steps to mitigate the likelihood of a breach in the first place is a much more cost effective strategy. Ilia Kolochenko, CEO of web security company, High-Tech Bridge said: “Keeping websites and all their components up to date, implementing WAF and 2FA, hosting your data on a dedicated and well-secured web server – these simple precautions can prevent many website security risks at a very reasonable cost. Negligent failure to protect a website containing or processing personal data can give a valid reason to file a lawsuit demanding compensation for all factual damages, while with GDPR enforcement it can also bring serious fines for non-compliance. Breach of PCI DSS requirements can also impose significant monetary penalties.”